CVE-2022-2785 - OpenCVE

There exists an arbitrary memory read within the Linux Kernel BPF - Constants provided to fill pointers in structs passed in to bpf_sys_bpf are not verified and can point anywhere, including memory not owned by BPF. An attacker with CAP_BPF can arbitrarily read memory from anywhere on the system. We recommend upgrading past commit 86f44fcec22c

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

Configuration 1 [-]

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://git.kernel.org/bpf/bpf/c/86f44fcec22c
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=86f44fcec22c
https://lore.kernel.org/bpf/20220816205517.682470-1-zhuyifei%40google.com/T/#t
https://nvd.nist.gov/vuln/detail/CVE-2022-2785
https://www.cve.org/CVERecord?id=CVE-2022-2785

History

No history.

MITRE

Status: PUBLISHED

Assigner: Google

Published: 2022-09-23T11:10:08.764098Z

Updated: 2024-09-17T03:49:02.183Z

Reserved: 2022-08-11T00:00:00

Link: CVE-2022-2785

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-09-23T11:15:09.510

Modified: 2023-11-07T03:46:53.227

Link: CVE-2022-2785

Redhat

Severity : Moderate

Publid Date: 2022-08-10T00:00:00Z

Links: CVE-2022-2785 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "Kernel", "vendor": "Linux Kernel", "versions": [{"lessThan": "af2ac3e13e45", "status": "affected", "version": "5.14", "versionType": "custom"}, {"lessThan": "b1d18a7574d0", "status": "affected", "version": "5.18", "versionType": "custom"}]}], "datePublic": "2022-08-07T00:00:00", "descriptions": [{"lang": "en", "value": "There exists an arbitrary memory read within the Linux Kernel BPF - Constants provided to fill pointers in structs passed in to bpf_sys_bpf are not verified and can point anywhere, including memory not owned by BPF. An attacker with CAP_BPF can arbitrarily read memory from anywhere on the system. We recommend upgrading past commit 86f44fcec22c"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-23T11:10:08", "orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://git.kernel.org/bpf/bpf/c/86f44fcec22c"}, {"tags": ["x_refsource_MISC"], "url": "https://lore.kernel.org/bpf/20220816205517.682470-1-zhuyifei%40google.com/T/#t"}], "source": {"discovery": "INTERNAL"}, "title": "Arbitrary Memory read in BPF Linux Kernel", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@google.com", "DATE_PUBLIC": "2022-08-07T22:00:00.000Z", "ID": "CVE-2022-2785", "STATE": "PUBLIC", "TITLE": "Arbitrary Memory read in BPF Linux Kernel"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Kernel", "version": {"version_data": [{"version_affected": "<", "version_name": "5.14", "version_value": "af2ac3e13e45"}, {"version_affected": "<", "version_name": "5.18", "version_value": "b1d18a7574d0"}]}}]}, "vendor_name": "Linux Kernel"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "There exists an arbitrary memory read within the Linux Kernel BPF - Constants provided to fill pointers in structs passed in to bpf_sys_bpf are not verified and can point anywhere, including memory not owned by BPF. An attacker with CAP_BPF can arbitrarily read memory from anywhere on the system. We recommend upgrading past commit 86f44fcec22c"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-125 Out-of-bounds Read"}]}]}, "references": {"reference_data": [{"name": "https://git.kernel.org/bpf/bpf/c/86f44fcec22c", "refsource": "MISC", "url": "https://git.kernel.org/bpf/bpf/c/86f44fcec22c"}, {"name": "https://lore.kernel.org/bpf/20220816205517.682470-1-zhuyifei@google.com/T/#t", "refsource": "MISC", "url": "https://lore.kernel.org/bpf/20220816205517.682470-1-zhuyifei@google.com/T/#t"}]}, "source": {"discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:46:04.562Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://git.kernel.org/bpf/bpf/c/86f44fcec22c"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lore.kernel.org/bpf/20220816205517.682470-1-zhuyifei%40google.com/T/#t"}]}]}, "cveMetadata": {"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "assignerShortName": "Google", "cveId": "CVE-2022-2785", "datePublished": "2022-09-23T11:10:08.764098Z", "dateReserved": "2022-08-11T00:00:00", "dateUpdated": "2024-09-17T03:49:02.183Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C4201D89-FEDA-413D-80CA-8E240505B4CA", "versionEndExcluding": "2022-08-10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "There exists an arbitrary memory read within the Linux Kernel BPF - Constants provided to fill pointers in structs passed in to bpf_sys_bpf are not verified and can point anywhere, including memory not owned by BPF. An attacker with CAP_BPF can arbitrarily read memory from anywhere on the system. We recommend upgrading past commit 86f44fcec22c"}, {"lang": "es", "value": "Se presenta una lectura de memoria arbitraria dentro del BPF del Kernel de Linux - Las constantes proporcionadas para rellenar los punteros en los structs pasados a bpf_sys_bpf no son verificados y pueden apuntar a cualquier lugar, incluyendo la memoria que no es propiedad de BPF. Un atacante con CAP_BPF puede leer arbitrariamente la memoria de cualquier parte del sistema. Recomendamos actualizar el commit pasado 86f44fcec22c"}], "id": "CVE-2022-2785", "lastModified": "2023-11-07T03:46:53.227", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2022-09-23T11:15:09.510", "references": [{"source": "cve-coordination@google.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://git.kernel.org/bpf/bpf/c/86f44fcec22c"}, {"source": "cve-coordination@google.com", "url": "https://lore.kernel.org/bpf/20220816205517.682470-1-zhuyifei%40google.com/T/#t"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-125"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}

{"bugzilla": {"description": "kernel: out-of-bounds read due to improper check of bpf_sys_bpf() arguments", "id": "2129419", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129419"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-125", "details": ["There exists an arbitrary memory read within the Linux Kernel BPF - Constants provided to fill pointers in structs passed in to bpf_sys_bpf are not verified and can point anywhere, including memory not owned by BPF. An attacker with CAP_BPF can arbitrarily read memory from anywhere on the system. We recommend upgrading past commit 86f44fcec22c", "An out-of-bounds (OOB) memory read problem was found in bpf in the Linux kernel's kernel/bpf/syscall.c function due to an improper check of bpf_sys_bpf() arguments. The bounds check failure allows a local attacker to access out-of-bounds memory, leading to a leak of internal kernel information."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2022-2785", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2022-08-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-2785\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-2785\nhttps://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=86f44fcec22c"], "statement": "The default Red Hat Enterprise Linux kernel prevents unprivileged users from being able to use eBPF by the kernel.unprivileged_bpf_disabled sysctl. This would require a privileged user with CAP_SYS_ADMIN or root to be able to abuse this flaw reducing its attack space.\nFor the Red Hat Enterprise Linux 7 the eBPF for unprivileged users is always disabled.\nFor the Red Hat Enterprise Linux 8 to confirm the current state, inspect the sysctl with the command:\n# cat /proc/sys/kernel/unprivileged_bpf_disabled\nThe setting of 1 would mean that unprivileged users can not use eBPF, mitigating the flaw.\nA kernel update will be required to mitigate the flaw for the root or users with CAP_SYS_ADMIN capabilities.", "threat_severity": "Moderate", "upstream_fix": "kernel 5.19 rc8"}